Base64 Encoding Explained: What It Is and When to Use It
Base64 turns up everywhere in software development — in JWTs, email attachments, CSS data URIs, API payloads, and more. Yet many developers use it without fully understanding what it is or, more importantly, what it's not. It's not encryption. It's not compression. It's a way to represent binary data as plain text — and once you understand that, everything else falls into place.
What Is Base64?
Base64 is an encoding scheme that converts binary data into a string drawn from an alphabet of 64 printable ASCII characters: A–Z, a–z, 0–9, +, and /. The name comes directly from the size of that alphabet. The encoding works by taking three bytes of binary input (24 bits) and mapping them to four Base64 characters (6 bits each).
This means Base64 output is always roughly 33% larger than the original — a necessary overhead for guaranteed safe text transmission. If the input isn't a multiple of three bytes, padding characters (=) are added to reach the next multiple of four characters.
Why Does Base64 Exist?
Many older protocols — including SMTP (email) and HTTP headers — were designed to transport text, not raw binary data. Sending binary files like images through these systems without encoding often caused corruption, because certain byte values were interpreted as control characters or line endings.
Base64 solves this by guaranteeing the output contains only safe printable ASCII characters. A binary image encoded as Base64 is just a long string of letters and numbers that can travel through any text-based system without modification or corruption.
Common Use Cases
CSS and HTML data URIs: Small images and icons can be embedded directly in CSS or HTML as Base64 strings, eliminating extra HTTP requests. This is useful for critical above-the-fold images or assets in offline-capable apps. The trade-off is that data URIs are larger than their originals and cannot be cached separately by the browser.
JSON API payloads: JSON is a text format, so sending binary files — images, PDFs, audio clips — inside a JSON body requires Base64 encoding. You'll see this pattern frequently in REST and GraphQL APIs that accept file uploads as part of a structured payload.
JWT tokens: JSON Web Tokens use a variant called Base64URL to encode the header and payload. This makes the token URL-safe and human-readable when decoded in a tool like a JWT decoder, though remember: it's only signed, not encrypted — anyone can read the payload.
Email attachments: MIME encoding uses Base64 to attach binary files to email messages. Every attachment your email client has ever sent was Base64-encoded under the hood.
Base64 Is Not Encryption
This is the most important thing to understand about Base64: it provides zero security. Anyone who sees a Base64 string can decode it instantly — no key, no password, no effort. If you Base64-encode a password and store it somewhere, it is effectively stored in plain text.
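Base64 is pure encoding: a reversible, deterministic transformation that changes the representation of data, not its confidentiality. For actual security you need encryption (like AES for confidentiality) or one-way hashing (like SHA-256 for password storage), depending on your use case. For passwords specifically, apply the hash through a salted, deliberately slow construction such as PBKDF2 rather than as a single pass, since one fast hash is cheap to brute-force.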
Base64URL: The URL-Safe Variant
Standard Base64 uses + and /, both of which are special characters in URLs. Base64URL substitutes these with - and _ respectively, making encoded data safe to include in URLs and HTTP headers without percent-encoding. JWTs, OAuth tokens, and many modern web standards use Base64URL rather than standard Base64 — a distinction worth keeping in mind when debugging token issues.
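As an added example, not part of the original article: the Node.js code below reads the header and payload of a JWT with no key at all, using only the character substitution described above plus padding restoration. The helper names and the sample token are constructed for illustration; it assumes the compact three-segment JWT form, whose Base64URL segments carry no = padding.

```javascript
// Added example: helper names and the sample token are constructed for illustration.

// Base64URL -> standard Base64: swap '-' and '_' back to '+' and '/',
// then restore the '=' padding that JWT segments omit.
function base64UrlToBase64(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return b64 + '='.repeat((4 - (b64.length % 4)) % 4);
}

// Standard Base64 -> Base64URL: the reverse substitution, padding stripped.
function base64ToBase64Url(s) {
  return s.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build one token segment from an object (used only to construct the sample).
function encodeSegment(obj) {
  const b64 = Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
  return base64ToBase64Url(b64);
}

// Read header and payload of a compact JWT. No key is used, and the
// signature is NOT verified: this shows what any holder of the token can see.
function readJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2).map((seg) => {
    if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not Base64URL');
    const bytes = Buffer.from(base64UrlToBase64(seg), 'base64');
    return JSON.parse(bytes.toString('utf8'));
  });
  return { header, payload };
}

// Constructed sample: the third segment is a placeholder, not a real signature.
const sampleToken = [
  encodeSegment({ alg: 'HS256', typ: 'JWT' }),
  encodeSegment({ sub: 'user-1001', role: 'admin', email: 'alice@example.com' }),
  'placeholder-signature',
].join('.');

const decoded = readJwtUnverified(sampleToken);
console.log(sampleToken);
console.log(decoded.header, decoded.payload);
```

Because the claims are readable this way, keep secrets out of JWT payloads, and verify the signature with a JWT library before trusting any decoded field.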
Encode and Decode in Your Browser
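Modern browsers expose btoa() for encoding and atob() for decoding in JavaScript. Node.js provides a Buffer class for the same purpose. Both browser functions work on the standard alphabet only, so a Base64URL segment from a JWT must have - and _ swapped back to + and / before atob() will accept it. For quick work during development or debugging, the TinyTool Base64 encoder/decoder handles it instantly: no sign-up, no server round-trips, your data stays entirely in the browser.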